Backport of the patch to fix the insecure VIM

This is a backport of the patch: https://review.openstack.org/#/c/532525/4 Change-Id: I17af91d6041c4e41f6d479da742e96ea45ae31f7 Signed-off-by: Manuel Buil <mbuil@suse.com>
2018-01-15 15:33:38 +01:00 · 2018-01-15 15:33:38 +01:00 · 593762fb78
parent 682c965108
commit 593762fb78
4 changed files with 43 additions and 2 deletions
--- a/tackerclient/tacker/v1_0/nfvo/vim_utils.py
+++ b/tackerclient/tacker/v1_0/nfvo/vim_utils.py
@ -24,6 +24,7 @@ def args2body_vim(config_param, vim):
    :param vim: vim request object
    :return: vim body with args populated
    """
+    cert_verify_type = ['True', 'False']
    vim['vim_project'] = {'name': config_param.pop('project_name', ''),
                          'project_domain_name':
                              config_param.pop('project_domain_name', '')}
@ -31,10 +32,16 @@ def args2body_vim(config_param, vim):
        raise exceptions.TackerClientException(message='Project name '
                                                       'must be specified',
                                               status_code=404)
+    cert_verify = config_param.pop('cert_verify', 'True')
+    if cert_verify not in cert_verify_type:
+        raise exceptions.TackerClientException(
+            message='Supported cert_verify types: True, False',
+            status_code=400)
    vim['auth_cred'] = {'username': config_param.pop('username', ''),
                        'password': config_param.pop('password', ''),
                        'user_domain_name':
-                            config_param.pop('user_domain_name', '')}
+                            config_param.pop('user_domain_name', ''),
+                        'cert_verify': cert_verify}


 def validate_auth_url(url):
--- a/tackerclient/tests/unit/vm/samples/vim_config_with_false_cert_verify.yaml
+++ b/tackerclient/tests/unit/vm/samples/vim_config_with_false_cert_verify.yaml
@ -0,0 +1,7 @@
+auth_url: 'http://1.2.3.4:5000'
+username: 'xyz'
+password: '12345'
+project_name: 'abc'
+project_domain_name: 'prj_domain_name'
+user_domain_name: 'user_domain_name'
+cert_verify: 'False'
--- a/tackerclient/tests/unit/vm/test_cli10_vim.py
+++ b/tackerclient/tests/unit/vm/test_cli10_vim.py
@ -38,7 +38,8 @@ class CLITestV10VIMJSON(test_cli10.CLITestV10Base):
            'name': 'abc',
            'project_domain_name': 'prj_domain_name'}
        self.auth_cred = {'username': 'xyz', 'password': '12345',
-                          'user_domain_name': 'user_domain_name'}
+                          'user_domain_name': 'user_domain_name',
+                          'cert_verify': 'True'}
        self.auth_url = 'http://1.2.3.4:5000'

    def test_register_vim_all_params(self):
@ -61,6 +62,30 @@ class CLITestV10VIMJSON(test_cli10.CLITestV10Base):
                                   args, position_names, position_values,
                                   extra_body=extra_body)

+    def test_register_vim_with_false_cert_verify(self):
+        cmd = vim.CreateVIM(test_cli10.MyApp(sys.stdout), None)
+        name = 'my-name'
+        my_id = 'my-id'
+        # change cert_verify to False
+        self.auth_cred = {'username': 'xyz', 'password': '12345',
+                          'user_domain_name': 'user_domain_name',
+                          'cert_verify': 'False'}
+        description = 'Vim Description'
+        vim_config = utils.get_file_path(
+            'tests/unit/vm/samples/vim_config_with_false_cert_verify.yaml')
+        args = [
+            name,
+            '--config-file', vim_config,
+            '--description', description]
+        position_names = ['auth_cred', 'vim_project', 'auth_url']
+        position_values = [self.auth_cred, self.vim_project,
+                           self.auth_url]
+        extra_body = {'type': 'openstack', 'name': name,
+                      'description': description, 'is_default': False}
+        self._test_create_resource(self._RESOURCE, cmd, None, my_id,
+                                   args, position_names, position_values,
+                                   extra_body=extra_body)
+
    def test_register_vim_with_no_auth_url(self):
        cmd = vim.CreateVIM(test_cli10.MyApp(sys.stdout), None)
        my_id = 'my-id'
--- a/tackerclient/tests/unit/vm/test_vim_utils.py
+++ b/tackerclient/tests/unit/vm/test_vim_utils.py
@ -28,6 +28,7 @@ class TestVIMUtils(testtools.TestCase):
                        'username': sentinel.usrname1,
                        'password': sentinel.password1,
                        'project_domain_name': sentinel.prj_domain_name1,
+                        'cert_verify': 'True',
                        'user_domain_name': sentinel.user_domain.name, }
        vim = {}
        auth_cred = config_param.copy()
@ -43,6 +44,7 @@ class TestVIMUtils(testtools.TestCase):
    def test_args2body_vim_no_project(self):
        config_param = {'username': sentinel.usrname1,
                        'password': sentinel.password1,
+                        'cert_verify': 'True',
                        'user_domain_name': sentinel.user_domain.name, }
        vim = {}
        self.assertRaises(exceptions.TackerClientException,